How to enable VMware vSAN Encryption

Introduction

This short post is a how-to guide for enabling encryption on VMware vSAN. To do this, we’ll need two ingredients:

A VMware vSphere 6.5 cluster with VMware vSAN enabled (vSAN 6.6, which ships with vSphere 6.5d, is the release that introduced vSAN encryption)

A Key Management Server (KMS) solution

The Key Management Server (not to be mistaken for Microsoft’s Key Management Service for Windows licence activation) provides the encryption keys for vSAN encryption. It should be a robust solution (ideally multiple nodes): encrypted disks can only be unlocked by fetching the key-encryption key from the KMS, so if the KMS is unreachable when a host boots, that host’s vSAN disks stay locked and the data on them is inaccessible. Also, a tip – don’t put your KMS in the vSAN you’re about to encrypt. The cluster would need the KMS to unlock the very disks the KMS lives on, a circular dependency you cannot break.

For the environment stood up for this post, HyTrust KeyControl 4.1 was deployed. It’s an easy-to-use product that does exactly what’s required.

Registering the KMS in VMware vSphere

VMware vCenter talks to the KMS using the KMIP standard (VMware has certified a number of products). In the case of our HyTrust KeyControl appliance, we have to enable the KMIP server service and set the protocol version to 1.1, which is the version vCenter 6.5 speaks.

We also need to set up a KMIP user account on the appliance for vCenter. It’s important not to set a password for this account: we’re using certificates to authenticate, and setting a password prevents vSphere from using the account with the HyTrust solution. We then download the certificate for the user. This is a ZIP file containing the CA certificate and the user certificate as PEM files; the user PEM bundles both the certificate and its private key in one file, which matters for the trust step later.

Logged on as an administrator in the VMware vCenter Web Client, we open the configuration of the vCenter server and add our KMS:

We enter a name for the KMS cluster and the details for the first node (we can add further nodes to this cluster later). Port 5696 is the KMIP default and is what most solutions use.

vCenter then asks us to trust the certificate presented by the KMS server. Compare the fingerprint it shows with the certificate on the appliance before accepting it:

At this point the configuration exists, but vCenter has not yet established a trusted connection in the other direction (the KMS has to trust vCenter too). We establish that trust from the KMS cluster’s Establish trust with KMS menu option:

There are a few ways of achieving this (a root CA certificate, a certificate, a new certificate signing request, or uploading a certificate and private key), but we’ll be uploading the certificates snagged earlier:

In our case we choose the certificate and private key option and supply the user PEM in both the certificate and private key fields, because the HyTrust user PEM contains both:

Once the KMS shows a normal connection status and trust in both directions, we’re ready to go forth and enable vSAN encryption.
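The same registration and trust steps can be scripted. The PowerCLI below is an added example, not code from the original post or from HyTrust or VMware; it assumes PowerCLI 6.5.1 or later (the VMware.VimAutomation.Storage cmdlets), vCenter 6.5, and the KMIP trust calls of vCenter’s CryptoManagerKmip API object. The vCenter hostname, KeyControl node names and addresses, the `KeyControl` cluster name and the PEM path are placeholders for the example.

```powershell
# Added example (not from the original post): register a KeyControl KMIP
# cluster in vCenter and establish trust in both directions with PowerCLI.
# Assumes PowerCLI 6.5.1+ against vCenter 6.5. Hostnames, paths and the
# 'KeyControl' cluster name are placeholders.

Connect-VIServer -Server 'vcenter.example.local' | Out-Null   # placeholder vCenter

$kmsClusterName = 'KeyControl'                                 # placeholder KMS cluster name
$kmsNodes = @(                                                 # placeholder KeyControl nodes
    @{ Name = 'kc-node1'; Address = 'kc-node1.example.local' }
    @{ Name = 'kc-node2'; Address = 'kc-node2.example.local' } # second node: the KMS must not be a single point of failure
)
$userPemPath = 'C:\kms\vcenter-kms-user.pem'                   # user PEM from the KeyControl ZIP (cert + private key)

# 1. Register every node under one KMS cluster. 5696 is the KMIP default port.
foreach ($node in $kmsNodes) {
    Add-KeyManagementServer -Name $node.Name -KmsClusterName $kmsClusterName `
        -Address $node.Address -Port 5696 | Out-Null
}
$kmsCluster = Get-KmsCluster -Name $kmsClusterName

# vCenter's CryptoManagerKmip object is what backs the Web Client's trust dialogs.
$cryptoMgr = Get-View -Id $global:DefaultVIServer.ExtensionData.Content.CryptoManager
$keyProviderId = New-Object VMware.Vim.KeyProviderId
$keyProviderId.Id = $kmsClusterName

# 2. Trust each node's server certificate (vCenter -> KMS direction).
#    The thumbprint is printed so it can be checked against the appliance before trusting it.
$clusterInfo = $cryptoMgr.ListKmipServers(@($keyProviderId)) |
    Where-Object { $_.ClusterId.Id -eq $kmsClusterName }
foreach ($server in $clusterInfo.Servers) {
    $certInfo = $cryptoMgr.RetrieveKmipServerCert($keyProviderId, $server)
    $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        [System.Text.Encoding]::ASCII.GetBytes($certInfo.Certificate))
    Write-Host ("{0}: subject={1} thumbprint={2}" -f $server.Name, $x509.Subject, $x509.Thumbprint)
    $cryptoMgr.UploadKmipServerCert($keyProviderId, $certInfo.Certificate)
}

# 3. Trust in the other direction (KMS -> vCenter). The KeyControl user PEM holds
#    the certificate and the private key in one file, which is why the Web Client
#    takes the same file twice; here the two parts are split out explicitly.
$pem     = Get-Content -Path $userPemPath -Raw
$certPem = [regex]::Match($pem, '-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----').Value
$keyPem  = [regex]::Match($pem, '-----BEGIN (RSA |EC )?PRIVATE KEY-----[\s\S]*?-----END (RSA |EC )?PRIVATE KEY-----').Value
if (-not $certPem -or -not $keyPem) {
    throw "User PEM must contain both a certificate and a private key"
}
$cryptoMgr.UploadClientCert($keyProviderId, $certPem, $keyPem)

# 4. Make this the default key provider, then confirm trust in both directions
#    for every node before going anywhere near the vSAN encryption switch.
Set-KmsCluster -KmsCluster $kmsCluster -UseAsDefaultKeyProvider | Out-Null
foreach ($clusterStatus in $cryptoMgr.RetrieveKmipServersStatus(@($clusterInfo))) {
    foreach ($s in $clusterStatus.Servers) {
        "{0}: status={1} clientTrustsServer={2} serverTrustsClient={3}" -f `
            $s.Name, $s.Status, $s.ClientTrustServer, $s.ServerTrustClient
    }
}
```

Do not proceed until every node reports both trust flags as True and a green status; a node that vCenter trusts but which does not trust vCenter back will fail exactly when a host needs its key.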

Enabling VMware vSAN Encryption

Here’s the easy bit. We’ll assume that you already have vSAN up and running and will be enabling vSAN encryption on it. Enabling encryption is a rolling reformat: each disk group in the cluster is evacuated and recreated with the encrypted on-disk format in turn, so if this is a pre-existing cluster, make sure there is enough free capacity to absorb the data being moved off each disk group while it is out of service.

We open the Cluster Configuration and select vSAN > General.

Edit the settings to enable Encryption. The key items are selecting the KMS cluster and clicking OK. Erase disks before use wipes residual data from the drives before they are reformatted, so plaintext written earlier cannot be recovered from them; it is slower, so leave it off unless those drives held data you care about. Allow Reduced Redundancy lets the reformat proceed with fewer copies of data than the storage policy demands, which reduces the amount of VM data moved while encryption is under way but leaves the cluster temporarily exposed to a disk or host failure.

At this point the cluster will reconfigure, reformatting each disk group and enabling encryption. This can take a while, so be patient; progress can be followed under Monitor > vSAN > Resyncing Components. And that’s it done.
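The capacity check and the switch itself can also be done from PowerCLI. This is an added example, not code from the original post or VMware; it assumes PowerCLI 6.5.1 or later, a vSAN 6.6 cluster, and a KMS cluster already registered and trusted in vCenter. The `vSAN-Cluster` and `KeyControl` names are placeholders, and the free-space rule of thumb is the example’s own, conservative choice.

```powershell
# Added example (not from the original post): rough pre-flight capacity check,
# then enable vSAN encryption, equivalent to the vSAN > General edit above.
# Assumes PowerCLI 6.5.1+, vSAN 6.6, and an already-trusted KMS cluster.
# Cluster and KMS names are placeholders.

$clusterName    = 'vSAN-Cluster'   # placeholder vSAN cluster
$kmsClusterName = 'KeyControl'     # placeholder KMS cluster registered earlier

$cluster    = Get-Cluster -Name $clusterName
$kmsCluster = Get-KmsCluster -Name $kmsClusterName

# Pre-flight: encryption reformats disk groups one at a time, evacuating each
# first. A conservative check is that free space exceeds the capacity tier of
# the largest disk group, so a full evacuation always fits.
$usage = Get-VsanSpaceUsage -Cluster $cluster
$largestDiskGroupGB = Get-VsanDiskGroup -Cluster $cluster | ForEach-Object {
    (Get-VsanDisk -VsanDiskGroup $_ |
        Where-Object { -not $_.IsCacheDisk } |
        Measure-Object -Property CapacityGB -Sum).Sum
} | Measure-Object -Maximum | Select-Object -ExpandProperty Maximum

"Free {0:N0} GB of {1:N0} GB; largest disk group capacity tier {2:N0} GB" -f `
    $usage.FreeSpaceGB, $usage.CapacityGB, $largestDiskGroupGB
if ($usage.FreeSpaceGB -lt $largestDiskGroupGB) {
    Write-Warning "Not enough free space for a full evacuation; this relies on AllowReducedRedundancy"
}

# Enable encryption. EraseDisksBeforeUse wipes residual plaintext from the drives
# (slower). AllowReducedRedundancy moves less data during the reformat at the
# cost of running below policy redundancy until it completes.
Get-VsanClusterConfiguration -Cluster $cluster |
    Set-VsanClusterConfiguration -EncryptionEnabled $true -KmsCluster $kmsCluster `
        -EraseDisksBeforeUse $false -AllowReducedRedundancy $true | Out-Null

# The rolling reformat continues in the background after the cmdlet returns.
# Encrypted disk groups come back on on-disk format 5 (the vSAN 6.6 format), so
# watching the format version per host shows how far the reformat has got.
$config = Get-VsanClusterConfiguration -Cluster $cluster
"Encryption enabled: {0}  KMS cluster: {1}" -f $config.EncryptionEnabled, $config.KmsCluster
Get-VsanDiskGroup -Cluster $cluster |
    Select-Object @{ N = 'Host'; E = { $_.VMHost.Name } }, DiskFormatVersion
```

Re-run the last two commands until every disk group reports the new format; until then a host reboot can land on a mix of encrypted and unencrypted disk groups, which is fine functionally but means the data on the old-format groups is still in the clear.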

Closing Thoughts

This is a relatively simple feature to enable, and for little effort it protects data at rest: a drive pulled from a host, sent back under warranty or disposed of reveals nothing without the keys held by the KMS. Be clear about what it does not cover, though. vSAN 6.6 encryption does not encrypt data in transit between hosts or data inside a running VM, and vCenter and the KMS become part of the trust boundary, so their availability and access controls deserve the same care as the cluster itself.

If you’re considering developing a VMware vSAN based estate and need assistance, please contact Xtravirt, and we’d be happy to use our wealth of knowledge and experience to assist you.

Curtis Brown joined the Xtravirt consulting team in October 2012. His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with particular strength in VDI, storage integration, backup and Disaster Recovery design/implementation. He was awarded VMware vExpert 2019.